CCNA Information Security Risk Management Questions

20 of 95 questions · Page 2/2 · Information Security Risk Management · Answers revealed

76
Multi-Select · medium

Which THREE of the following are typical steps in a qualitative risk assessment?

Select 3 answers
A. Estimate likelihood and impact using rating scales
B. Prioritize risks based on risk ratings
C. Identify assets and threats
D. Calculate annualized loss expectancy (ALE)
E. Assign monetary values to impact
Answers: A, B, C

Rating scales (e.g., 1-5) are qualitative.

Why this answer

Qualitative assessment uses rating scales instead of monetary values. Identifying assets and threats, estimating likelihood and impact using scales, and prioritizing based on risk ratings are steps. Assigning monetary values and calculating ALE are quantitative steps.

77
MCQ · medium

A company is developing a risk treatment plan for a set of identified risks. One risk involves a third-party vendor that hosts critical data. The risk owner recommends accepting the risk. Which of the following conditions would BEST support this decision?

A. The organization has no compensating controls in place
B. The cost to mitigate is higher than the potential financial loss from a breach
C. The risk is within the organization's risk appetite but the business impact is high
D. The vendor has a history of security incidents
Answer: B

If mitigation costs outweigh the expected loss, acceptance is a sound business decision.

Why this answer

Option B is correct because accepting risk is justified when the cost of mitigation exceeds the potential loss. Option A is wrong because a lack of compensating controls increases inherent risk. Option C is wrong because business impact is a factor, but if the mitigation cost is higher, acceptance may still be appropriate.

Option D is wrong because a vendor with a history of security incidents represents high vulnerability, which increases risk and makes acceptance less appropriate.

78
Multi-Select · medium

Which THREE of the following are valid risk treatment options according to ISO 31000? (Select exactly three.)

Select 3 answers
A. Risk elimination
B. Risk transfer (sharing)
C. Risk avoidance
D. Risk mitigation (reduction)
E. Risk deferral
Answers: B, C, D

Transfer involves sharing risk with another party, e.g., insurance.

Why this answer

Option B is correct because ISO 31000 defines risk transfer (sharing) as a valid risk treatment option, where the risk is shifted to another party, such as through insurance or outsourcing. This is a standard approach in information security risk management to reduce the financial impact of a risk event.

Exam trap

ISACA often tests the distinction between 'risk elimination' and 'risk avoidance' to trap candidates who confuse the two, as elimination implies complete removal of the risk source, which is rarely achievable in information security, while avoidance means not engaging in the risky activity at all.

79
Multi-Select · medium

Which of the following are key components of an Information Security Risk Management program? (Select TWO.)

Select 2 answers
A. Establishing a risk management framework
B. Conducting vulnerability scanning
C. Performing risk assessment and treatment
D. Performing internal audits
Answers: A, C

Why this answer

A is correct because establishing a risk management framework is the foundational component of an Information Security Risk Management program. It defines the policies, procedures, and governance structure for identifying, assessing, and treating risks, aligning with standards like ISO 31000 or NIST SP 800-39. Without a framework, risk management activities lack consistency and accountability.

Exam trap

The trap here is that candidates confuse operational security activities (like vulnerability scanning or internal audits) with the strategic components of a risk management program, which are the framework and the risk assessment/treatment cycle.

Why the other options are wrong

B. Vulnerability scanning is a technical control, not a program component.

D. Audit is independent assurance, not part of the risk management program itself.

80
Matching · medium

Match each business continuity term to its definition.


Concepts
Matches

Maximum time to restore a process after disruption

Maximum age of data that must be recovered

Plan to maintain business functions during disruption

Plan to restore IT infrastructure after disaster

Process to identify critical functions and dependencies

Why these pairings

Business continuity and disaster recovery terms.

81
MCQ · medium

Which of the following is the PRIMARY reason for an information security manager to integrate risk management into the organization's enterprise risk management (ERM) framework?

A. To ensure compliance with regulatory requirements
B. To provide a consistent risk reporting structure across the enterprise
C. To support informed decision-making by aligning security risks with business objectives
D. To reduce the cost of risk management through shared resources
Answer: C

Why this answer

Integrating information security risk into ERM ensures that security risks are considered alongside business risks, enabling better prioritization and resource allocation. This alignment helps the organization make informed decisions that balance risk appetite and business objectives. The primary driver is to support strategic decision-making, not just compliance or reporting.

Exam trap

Candidates may choose 'To comply with regulatory requirements' because regulations often mandate risk management, but the primary reason is strategic alignment with business goals, not compliance.

Why the other options are wrong

A. Compliance is a benefit but not the primary reason; integration is about strategic alignment.

B. Consistent reporting is a result of integration, not the primary reason.

D. Cost reduction is a potential benefit but not the primary strategic reason.

82
Multi-Select · hard

An organization has a high residual risk after implementing all feasible controls. According to CISM best practices, which of the following should the information security manager do? (Select TWO.)

Select 2 answers
A. Escalate to senior management for risk acceptance
B. Document the risk in the risk register and accept it
C. Implement additional compensating controls
D. Immediately perform a new risk assessment
Answers: A, C

Why this answer

When residual risk remains high after all feasible controls are implemented, the information security manager should escalate the risk to senior management for formal risk acceptance (Option A). This aligns with CISM best practices, as senior management holds the authority to accept risks that exceed the organization's risk appetite. Additionally, implementing compensating controls (Option C) can further reduce residual risk to an acceptable level, even if primary controls are already in place.

Exam trap

The trap here is that candidates confuse 'documenting and accepting' (Option B) as sufficient, overlooking the CISM requirement that risk acceptance must be formally escalated to and approved by senior management, not just recorded by the security manager.

Why the other options are wrong

B. Documentation alone is not sufficient; escalation is needed for high residual risk.

D. A new assessment may be done later, but the immediate action is to escalate and consider additional controls.

83
Matching · medium

Match each cryptographic term to its description.


Concepts
Matches

Uses same key for encryption and decryption

Uses public/private key pair

One-way transformation producing fixed-size digest

Provides authenticity and non-repudiation

Framework managing digital certificates and keys

Why these pairings

Cryptography concepts relevant to CISM.

84
MCQ · easy

Based on the exhibit, what is the MOST appropriate next step for the information security manager?

A. Recommend implementing multifactor authentication to reduce the risk
B. Accept the risk because the likelihood is only moderate
C. Reassess the risk with a higher risk appetite threshold
D. Transfer the risk by purchasing cyber insurance
Answer: A

Additional controls can lower the likelihood or impact, bringing the risk within appetite.

Why this answer

Multifactor authentication (MFA) directly mitigates the most likely attack vector for the identified risk—credential theft or brute-force attacks—by requiring a second factor (e.g., a one-time password from a hardware token or biometric) in addition to the password. Since the exhibit (not shown) indicates a moderate likelihood but high impact, implementing MFA reduces the likelihood to a more acceptable level without requiring a change in risk appetite or transferring the risk. This aligns with the CISM principle of applying cost-effective controls to reduce residual risk to within the organization's risk tolerance.

Exam trap

ISACA often tests the misconception that risk acceptance is a valid default response when likelihood is moderate, but the trap here is that acceptance requires the risk to be within the risk appetite after all cost-effective controls have been considered—not before.

How to eliminate wrong answers

Option B is wrong because accepting a risk with only moderate likelihood ignores the potential high impact; risk acceptance should only occur when the residual risk is within the organization's risk appetite after controls are applied, not as a default action. Option C is wrong because reassessing with a higher risk appetite threshold is a reactive and inappropriate approach—it artificially lowers the perceived risk rather than addressing the actual vulnerability, which violates the principle of risk management. Option D is wrong because transferring the risk via cyber insurance does not reduce the likelihood or impact of the security incident; it only provides financial compensation after a breach, and the organization still suffers operational and reputational damage, making it a less appropriate next step than implementing a preventive control like MFA.

85
MCQ · medium

A company is implementing a risk management program and needs to define risk appetite. Which of the following is the MOST appropriate statement of risk appetite for a financial institution?

A. The organization will mitigate all risks to a low level
B. The organization will not invest in high-risk projects
C. The organization accepts no level of risk
D. The organization will accept up to $5M in potential loss for operational risks
Answer: D

Quantified risk appetite supports consistent decision-making.

Why this answer

Option D is correct because it sets a quantifiable tolerance for a specific risk type. Option C is wrong because zero tolerance is unrealistic. Option B is wrong because it only defines risk tolerance in one specific area.

Option A is wrong because it is a risk treatment decision, not an appetite statement.

86
Multi-Select · easy

Which TWO of the following are risk treatment strategies as defined in ISO 27005?

Select 2 answers
A. Risk analysis
B. Risk monitoring
C. Risk avoidance
D. Risk transfer
E. Risk communication
Answers: C, D

Avoidance is a risk treatment strategy.

Why this answer

Risk avoidance and risk transfer are standard treatment strategies. Risk analysis, risk communication, and risk monitoring are not treatment strategies but are part of the risk management process.

87
Multi-Select · medium

Which TWO of the following are valid risk treatment options according to ISO 31000? (Choose two.)

Select 2 answers
A. Risk avoidance
B. Risk measurement
C. Risk identification
D. Risk communication
E. Risk retention
Answers: A, E

Avoiding the risk by not undertaking the activity.

Why this answer

Options A and E are correct: risk avoidance and risk retention (acceptance) are treatment options. Option B is incorrect because risk measurement is not treatment. Option C is incorrect because risk identification is part of assessment.

Option D is incorrect because risk communication is an ongoing process, not a treatment option.

88
MCQ · hard

A risk manager is establishing risk appetite for a new product line. Which of the following best describes the relationship between risk appetite and risk tolerance?

A. Risk appetite and tolerance are interchangeable terms
B. Risk appetite is set by regulatory bodies; tolerance is set by the board
C. Risk appetite is the specific limit for each risk; tolerance is the overall willingness to accept risk
D. Risk appetite is the general approach to risk; tolerance defines acceptable variation in performance
Answer: D

This correctly distinguishes between appetite and tolerance.

Why this answer

Risk appetite is the general approach to risk at the enterprise level, while risk tolerance defines the acceptable variation in performance around objectives. Specific limits are part of tolerance, not appetite. Regulatory bodies may set constraints but do not define appetite.

89
MCQ · hard

A security manager is evaluating risk treatment options for a high-risk vulnerability. Drag each option to the correct risk treatment category.

Options:
- Apply a vendor patch
- Purchase cyber insurance
- Decommission the system
- Accept the risk with formal sign-off
- Install a WAF (Web Application Firewall)

Categories:
- Mitigate
- Transfer
- Avoid
- Accept

Answer options not yet available.

Why this answer

Risk mitigation reduces the likelihood or impact: applying a patch and installing a WAF are mitigation. Transfer shifts risk to a third party: cyber insurance. Avoid eliminates the risk by removing the system: decommissioning.

Acceptance is formal acknowledgment: accept with sign-off.

Exam trap

Candidates may misclassify insurance as mitigation because it reduces financial impact, but it is transfer. Also, decommissioning is clearly avoidance, not mitigation.

90
MCQ · easy

Which of the following best describes the difference between risk appetite and risk tolerance?

A. Risk appetite is the maximum risk tolerance
B. Risk tolerance is the total risk, and risk appetite is the residual risk
C. Risk appetite is the amount of risk an organization is willing to accept, while risk tolerance is the acceptable variation around that appetite for specific objectives
D. Risk appetite is qualitative, and risk tolerance is quantitative
Answer: C

This is the standard definition.

Why this answer

Option C is correct because risk appetite is the broad willingness to accept risk, while risk tolerance is the acceptable deviation around specific objectives. Option B is wrong because it reverses the definitions. Option D is wrong because both can be expressed quantitatively or qualitatively.

Option A is wrong because tolerance is not a subset of appetite but a measurable boundary around it.

91
MCQ · hard

A technology startup has grown rapidly and its risk management practices are informal. The CEO has a very high risk appetite and frequently overrides risk management recommendations to accelerate product launches. After a serious data breach involving customer payment information, the board of directors demands a formal risk management program. The risk manager is tasked with changing the risk culture. The startup has limited resources but must meet contractual obligations to protect customer data. What is the most effective first step?

A. Develop and communicate a revised risk appetite statement approved by the board
B. Outsource all information security operations to a managed service provider
C. Immediately deploy a suite of technical security controls
D. Recommend the termination of the CEO for previous risk decisions
Answer: A

Correct; this aligns the organization's risk tolerance and guides behavior.

Why this answer

Option A is correct because developing and communicating a revised risk appetite statement aligned with the board's risk tolerance sets the foundation for a risk-aware culture. It provides clear guidance for decision-making. Option C is insufficient without a cultural shift; technical controls may be undermined.

Option D is drastic and not directly a risk management action. Option B transfers responsibility but does not change internal culture or ensure compliance.

92
MCQ · hard

A multinational corporation is expanding its cloud infrastructure across multiple regions. The risk team has identified that the shared responsibility model for cloud security is not well understood by business units. After a recent audit, several misconfigurations led to a data exposure incident that affected one region. The CISO wants to implement a risk management program that ensures consistent control across all regions. As the risk manager, what is the most effective course of action to reduce the risk of similar incidents?

A. Transfer the risk to cloud providers by renegotiating contracts to include liability clauses.
B. Develop and enforce cloud security baseline standards and conduct regular compliance audits.
C. Implement a cloud access security broker (CASB) to monitor all cloud activities centrally.
D. Accept the risk as inherent to cloud adoption and focus resources on incident response.
Answer: B

Standards and audits address the root cause by ensuring consistent understanding and adherence.

Why this answer

Developing and enforcing cloud security baseline standards and conducting regular compliance audits directly address the root cause of misconfigurations due to lack of understanding. A CASB provides monitoring but does not enforce standards. Transferring risk to cloud providers shifts liability but does not prevent misconfigurations.

Acceptance with focus on incident response is reactive and does not reduce likelihood.

93
MCQ · hard

During a risk assessment, an organization identifies a critical vulnerability in a legacy system that cannot be patched. The system's availability is crucial for business operations. Which of the following risk treatment strategies is MOST appropriate?

A. Risk mitigation by implementing compensating controls
B. Risk acceptance with formal sign-off by senior management
C. Risk transfer through cyber insurance
D. Risk avoidance by decommissioning the system
Answer: B

Why this answer

When a critical vulnerability cannot be patched and the system must remain available for business operations, risk acceptance is the most appropriate strategy because it formally acknowledges the residual risk after all feasible controls have been considered. Senior management sign-off is required because the risk exceeds the organization's risk appetite, and acceptance documents the decision to operate with the known vulnerability. This approach aligns with the CISM principle that risk acceptance is a valid treatment when the cost of other treatments exceeds the benefit or when no other treatment is feasible.

Exam trap

The trap here is that candidates often choose risk mitigation (compensating controls) because it seems proactive, but the question explicitly states the vulnerability 'cannot be patched' and the system is 'crucial for business operations,' making formal acceptance by senior management the required CISM answer when residual risk remains after all feasible controls.

Why the other options are wrong

A. Compensating controls are a form of mitigation and can still reduce risk even though the system cannot be patched; however, because the underlying vulnerability cannot be fixed, mitigation may not be fully effective. Where no controls are cost-effective, formal acceptance is the best answer.

C. Insurance transfers financial risk but not operational risk; the vulnerability remains.

D. Decommissioning would avoid the risk but is not acceptable because the system is critical.

94
MCQ · medium

A risk manager is evaluating a control that reduces the likelihood of a threat from high to low. The cost of the control is $100,000 annually. The expected loss without the control is $500,000 per year. Which of the following should the risk manager recommend?

A. Avoid the risk by discontinuing the process
B. Transfer the risk through insurance
C. Implement the control
D. Accept the risk
Answer: C

Net benefit: $400,000 loss reduction minus $100,000 cost = $300,000 savings.

Why this answer

Option C is correct because the control reduces the expected loss to $100,000, saving $400,000 at a cost of $100,000, for a net benefit of $300,000. Option D is wrong because controlling the risk is cost-effective, so accepting it forgoes that benefit. Option B is wrong because transfer might be more expensive.

Option A is wrong because avoidance is not necessary when a cost-effective control is available.

95
MCQ · hard

An organization uses the ISO 31000 risk management framework. During the risk evaluation phase, it determines that a certain risk has a low likelihood but very high impact. The organization's risk appetite is moderate. Which of the following is the MOST appropriate risk treatment decision?

A. Accept the risk due to low likelihood
B. Avoid the risk by discontinuing the activity that generates it
C. Transfer the risk through insurance
D. Mitigate the risk by implementing controls to reduce impact
Answer: D

Mitigation reduces the impact to an acceptable level, aligning with moderate risk appetite.

Why this answer

Option D is correct because even low-likelihood risks with high impact may need mitigation to align with a moderate risk appetite. Option A is wrong because acceptance is only appropriate if the risk is within appetite. Option B is wrong because avoidance is extreme unless no other controls exist.

Option C is wrong because transfer may not fully address the impact.
